IPsec Remote Access VPN Example Using IKEv1 with Xauth

This document covers IPsec using Xauth and a mutual Pre-Shared Key.

Note

The current best practice is to use IKEv2 for IPsec Remote Access on modern clients. See IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 for details.

This setup has been tested and working on various Android and iOS devices. Other clients may work as well.

IPsec Server Setup

This is the setup for the pfSense® software side of the connection.

Mobile Clients

  • Navigate to VPN > IPsec, Mobile Clients tab

  • Set the options as follows:

    Enable IPsec Mobile Client Support

    Checked

    User Authentication

    Local Database

    Provide a virtual IP address to clients

    Checked

    Enter an unused subnet in the box (e.g. 10.11.200.0), pick a subnet mask (e.g. 24)

  • Set other options if desired

  • Click Save

  • Click Apply Changes

  • Click Create Phase 1 at the top of the screen if it appears

Phase 1 settings

  • Navigate to VPN > IPsec

  • Locate the Mobile Phase 1 in the list

  • Click the pencil (edit) icon to edit the Mobile Phase 1

  • Enter the following settings:

    Description

    Mobile IPsec PSK + Xauth

    Key Exchange Version

    IKEv1

    Authentication method

    Mutual PSK + Xauth

    Negotiation mode

    Aggressive or Main depending on client requirements.

    My identifier

    My IP address

    Peer identifier

    User fully qualified domain name / E-mail, vpnusers@example.com

    Pre-Shared Key

    A long/random pre-shared key suitable for giving to users.

    Encryption Algorithm

    Create several entries which match values for common clients. Add them in order of preference with the most secure options listed first. For example:

    • Algorithm AES 256, Hash SHA512, DH Group 14

    • Algorithm AES 256, Hash SHA256, DH Group 14

    • Algorithm AES 256, Hash SHA1, DH Group 14

    • Algorithm AES 128, Hash SHA1, DH Group 2

    Life Time

    86400

    NAT Traversal

    Force

  • Click Save
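The phase 1 proposal list above is ordered most secure first so that capable clients land on the strongest entry while older clients still connect. The following added example (not from the pfSense documentation) models that selection: it assumes, as a simplification, that the responder picks its first configured proposal that the client also offers, and it flags when a client ends up on one of the legacy entries kept only for compatibility.

```python
# Added example, not pfSense project code. Models IKEv1 phase 1 proposal
# selection for the proposal list given in this guide. Assumption: the
# responder chooses its first configured proposal the client also supports.
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    enc: str       # encryption algorithm and key size, e.g. "AES256"
    hash_alg: str  # hash/PRF algorithm, e.g. "SHA512"
    dh: int        # Diffie-Hellman group number

# Server-side list from the guide, most secure first.
SERVER_PROPOSALS = [
    Proposal("AES256", "SHA512", 14),
    Proposal("AES256", "SHA256", 14),
    Proposal("AES256", "SHA1", 14),
    Proposal("AES128", "SHA1", 2),
]

# Entries kept only so that older clients can connect.
LEGACY_HASHES = {"SHA1", "MD5"}
LEGACY_DH_GROUPS = {1, 2, 5}

ENC_BITS = {"AES128": 128, "AES192": 192, "AES256": 256, "3DES": 112}
HASH_BITS = {"MD5": 128, "SHA1": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}


def strength(p):
    """Rank used to verify strongest-first ordering (higher is stronger)."""
    return (ENC_BITS[p.enc], HASH_BITS[p.hash_alg], p.dh)


def check_ordering(server):
    """True when the server list is sorted strongest-first."""
    ranks = [strength(p) for p in server]
    return all(a >= b for a, b in zip(ranks, ranks[1:]))


def negotiate(server, client_supported):
    """First server proposal the client also supports, or None if no match."""
    return next((p for p in server if p in client_supported), None)


def legacy_warnings(p):
    """Describe why a negotiated proposal is a compatibility-only choice."""
    warnings = []
    if p.hash_alg in LEGACY_HASHES:
        warnings.append(f"hash {p.hash_alg} is legacy")
    if p.dh in LEGACY_DH_GROUPS:
        warnings.append(f"DH group {p.dh} is weaker than group 14")
    return warnings
```

Run `negotiate(SERVER_PROPOSALS, client_set)` with a constructed set of proposals a client offers; a modern client that offers everything gets AES256/SHA512/group 14, while a client that only offers the SHA1 entries lands on a legacy proposal and `legacy_warnings` says why.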

Phase 2 settings

  • Click Show Phase 2 Entries inside the Mobile phase 1 to expand its phase 2 list

  • Click Add P2 to create a new phase 2 entry

  • Enter the following settings:

    Description

    Mobile IPsec

    Mode

    Tunnel IPv4

    Local Network

    The network on the firewall site which the clients must reach, e.g. LAN Subnet, or Network 0.0.0.0/0 to send all traffic over the VPN.

    Protocol

    ESP

    Encryption Algorithms

    AES 128

    Hash Algorithms

    SHA1

    PFS key group

    off

    Lifetime

    28800

  • Add additional phase 2 entries for local networks if necessary

  • Click Save

  • Click Apply Changes

User Settings

  • Navigate to System > User Manager

  • Add a user

  • Edit the user and grant them the User - VPN - IPsec xauth Dialin privilege or add them to a group with this privilege.

    Note

    Xauth uses both this per-user password and the value of the pre-shared key for different types of authentication. The pre-shared key is used to authenticate the tunnel itself and the per-user password ensures that a particular user is authorized to access the tunnel.

Firewall Rules

Add firewall rules to pass traffic from clients.

  • Navigate to Firewall > Rules, IPsec tab

  • Add rules that match traffic to allow from mobile clients or add a rule to pass any protocol/any source/any destination to allow everything.

Device Setup (Android)

Note

The settings below are from pure Android 11.x. These exact settings may not be present on all Android devices, depending on the Android version and changes made by the OEM.

See Remote Access Mobile VPN Client Compatibility for additional details.

  • Swipe down twice from the top of the screen

  • Tap the Settings cog

  • Tap Networks & Internet, Advanced, VPN

  • Tap +

  • Enter the connection settings as follows:

    Name

    pfSense Mobile VPN or another suitable description

    Type

    IPsec Xauth PSK

    Server Address

    The address of the server.

    IPsec Identifier

    If the mobile IPsec phase 1 is set for Aggressive fill in the identifier set in phase 1 (e.g. vpnusers@example.com).

    If the mobile IPsec phase 1 is set for Main, leave this at the default empty value of (not used).

    Pre-Shared Key

    The value of the pre-shared key from the mobile phase 1 entry.

    Username

    The username for this xauth user

    Password

    The password for this xauth user

  • Tap Save

Device Setup (iOS)

  • Tap Settings > VPN or Settings > General > VPN

  • Tap Add VPN Configuration

  • Set Type to IPsec

  • Enter the settings as follows:

    Description

    pfSense Mobile VPN or another suitable description

    Server

    The address of the server.

    Account

    The username for this xauth user

    Password

    The password for this xauth user (or leave blank to be prompted every time)

    Group Name

    The identifier set in phase 1 (e.g. vpnusers@example.com).

    Secret

    The value of the pre-shared key from the mobile phase 1 entry.

Troubleshooting

By default iOS will tunnel all traffic over the VPN including traffic going to the Internet. If Internet sites are inaccessible once connected, a DNS server may need to be pushed to the client for it to use. This could be the LAN IP address of the firewall if the DNS resolver is enabled or a public DNS server such as 8.8.8.8 and/or 8.8.4.4.

The reason for the above is that the cellular provider is likely giving mobile devices DNS servers that are only reachable from the provider's own network. Once connected to the VPN, queries to those DNS servers are sent via the VPN instead of the provider network, so they are likely to be dropped. Supplying a local or public DNS server works around this problem.